Security & Compliance

Healthcare-grade security, by design

We didn't retrofit a consumer product for healthcare. Every layer of Blue Lens Research was built with PHI protection and healthcare compliance in mind.

Certifications & Compliance

The credentials healthcare buyers require, maintained through continuous validation.

HIPAA Compliant

Active

Full HIPAA compliance with administrative, physical, and technical safeguards.

  • End-to-end encryption (AES-256)
  • Access controls and audit logging
  • Employee training and policies
  • Incident response procedures

SOC 2 Type II

Certified

Independent verification of security, availability, and confidentiality controls.

  • Annual third-party audits
  • Continuous monitoring
  • Documented policies & procedures
  • Change management controls

BAA Ready

Available

Business Associate Agreements available for all healthcare customers.

  • Standard BAA template
  • Custom terms negotiable
  • Covered entity support
  • Subcontractor management

HITRUST CSF

Aligned

Controls aligned with HITRUST Common Security Framework for healthcare.

  • Risk-based approach
  • Control implementation
  • Gap assessment complete
  • Certification path defined

Data Protection

Multiple layers of protection for patient data at every stage.

Real-Time De-identification

PHI is automatically detected and masked during the interview itself—before data reaches our servers.

Safe Harbor Compliance

All 18 HIPAA identifiers are detected and removed following the Safe Harbor de-identification methodology.

Data Residency

All data is stored in HIPAA-compliant US data centers with SOC 2 certified infrastructure providers.

Role-Based Access

Granular permissions ensure only authorized personnel access specific data elements.

Audit Trails

Complete logging of all data access, modifications, and exports for compliance auditing.

Data Retention

Configurable retention policies with secure deletion procedures meeting healthcare requirements.

IRB-Supportive Documentation

We don't claim to be "IRB approved" (that's institution-specific), but we provide all the documentation you need for a smooth IRB submission process.

Most qualitative research using our platform qualifies for expedited review under Category 7 of the Common Rule, covering "research on individual or group characteristics or behavior."

IRB Documentation Package

  • Pre-built consent form templates
  • Customizable interview protocols
  • Data handling documentation
  • De-identification methodology summary
  • Participant recruitment procedures
  • Security controls overview
  • Risk assessment documentation
  • Expedited review qualification support

Business Associate Agreements

We execute BAAs with all healthcare customers as a standard part of our enterprise agreements. Our BAA template has been reviewed and accepted by major health systems and payers.

Frequently Asked Questions

Do you sign Business Associate Agreements?

Yes. We provide BAAs to all healthcare customers as a standard part of our enterprise agreements. We also work with customers on custom terms when needed.

Where is patient data stored?

All data is stored in HIPAA-compliant data centers in the United States. Our infrastructure providers maintain SOC 2 Type II certification and support BAAs.

How does de-identification work?

Our AI automatically detects and masks PHI in real time during interviews using the Safe Harbor methodology. This includes names, dates, locations, and other HIPAA-specified identifiers. De-identification happens before data is stored.

Can we use Blue Lens Research for IRB-reviewed research?

Yes. Our platform provides documentation and consent management tools designed to support IRB submissions. Most qualitative research qualifies for expedited review under Category 7.

What happens to audio/video recordings?

Recordings are transcribed with automatic de-identification. Original recordings can be deleted immediately after transcription, or retained per your organization's requirements with appropriate access controls.

Do you have a security questionnaire we can review?

Yes. We maintain completed SIG, HECVAT, and custom security questionnaire responses. Contact us to receive these documents under NDA.

Ready to discuss your compliance requirements?

Our team has deep experience navigating healthcare compliance. Let's talk about your specific needs.